Static Identification of Injection Attacks in Java
ACM Transactions on Programming Languages and Systems (IF 1.3), Pub Date: 2019-07-02, DOI: 10.1145/3332371
Fausto Spoto, Elisa Burato, Michael D. Ernst, Pietro Ferrara, Alberto Lovato, Damiano Macedonio, Ciprian Spiridon
The most dangerous security-related software errors, according to the OWASP Top Ten 2017 list, affect web applications. They are potential injection attacks that exploit user-provided data to execute undesired operations: database access and updates (SQL injection); generation of malicious web pages (cross-site scripting injection); redirection to user-specified web pages (redirect injection); execution of OS commands and arbitrary scripts (command injection); loading of user-specified, possibly heavy or dangerous classes at run time (reflection injection); access to arbitrary files on the file system (path traversal); and storing user-provided data into heap regions normally assumed to be shielded from the outside world (trust boundary violation). All these attacks exploit the same weakness: unconstrained propagation of data from sources that the user of a web application controls into sinks whose activation might trigger dangerous operations. Although web applications are written in a variety of languages, Java remains a frequent choice, in particular for banking applications, where security has tangible relevance. This article defines a unified, sound protection mechanism against such attacks, based on the identification of all possible explicit flows of tainted data in Java code. Such flows can be arbitrarily complex, passing through dynamically allocated data structures in the heap. The analysis is based on abstract interpretation and is interprocedural, flow-sensitive, and context-sensitive. Its notion of taint applies to reference (non-primitive) types dynamically allocated in the heap and is object-sensitive and field-sensitive. The analysis works by translating the program into Boolean formulas that model all possible data flows.
Its implementation, within the Julia analyzer for Java and Android, found injection security vulnerabilities in the Internet banking service and in the customer relationship management of large Italian banks, as well as in a set of open-source third-party applications. It found the command injection, which is at the origin of the 2017 Equifax data breach, one of the worst data breaches ever. For objective, repeatable results, this article also evaluates the implementation on two open-source security benchmarks: the Juliet Suite and the OWASP Benchmark for the automatic comparison of static analyzers for cybersecurity. We compared this technique against more than 10 other static analyzers, both free and commercial. The result of these experiments is that ours is the only analysis for injection that is sound (up to well-stated limitations such as multithreading and native code) and works on industrial code, and it is also much more precise than other tools.
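To make concrete the source-to-sink flows through heap fields that the abstract describes, here is an added toy example (not the paper's or the Julia analyzer's code): a flow-sensitive, field-sensitive taint propagation over a constructed straight-line, Java-like IR. The IR shape, the source/sink/sanitizer names and the sample program are all assumptions made for this illustration; the point it shows is that tracking taint per (allocation site, field) keeps a sanitized field and a raw field of the same object apart, while still catching a flow that goes through an alias of that object.

```python
# Constructed toy taint analysis (not the paper's or Julia's code).
SOURCES = {"request.getParameter"}                  # user-controlled input
SINKS = {"Statement.executeQuery", "Runtime.exec"}   # injection sinks
SANITIZERS = {"escape"}                              # assumed escaping routine
def analyze(program):
    # Return [(stmt_no, sink)] for each sink reached by tainted data.
    local_taint = {}   # variable -> tainted?
    points_to = {}     # variable -> allocation site of the object it holds
    field_taint = {}   # (allocation site, field) -> tainted?
    findings = []
    for n, stmt in enumerate(program, 1):
        op = stmt[0]
        if op == "new":                 # ("new", var, site): var = new T()
            points_to[stmt[1]], local_taint[stmt[1]] = stmt[2], False
        elif op == "assign":            # ("assign", dst, src): dst = src
            _, dst, src = stmt
            local_taint[dst] = local_taint.get(src, False)
            if src in points_to:        # aliases share the abstract object
                points_to[dst] = points_to[src]
        elif op == "store":             # ("store", obj, fld, src): obj.fld = src
            _, obj, fld, src = stmt
            field_taint[(points_to[obj], fld)] = local_taint.get(src, False)
        elif op == "load":              # ("load", dst, obj, fld): dst = obj.fld
            _, dst, obj, fld = stmt
            local_taint[dst] = field_taint.get((points_to[obj], fld), False)
        elif op == "call":              # ("call", dst, callee, arg): dst = callee(arg)
            _, dst, callee, arg = stmt
            if callee in SINKS:
                if local_taint.get(arg, False):
                    findings.append((n, callee))
            elif callee in SOURCES:
                local_taint[dst] = True
            elif callee in SANITIZERS:
                local_taint[dst] = False
            else:                       # unknown callee: taint passes through
                local_taint[dst] = local_taint.get(arg, False)
    return findings

# Constructed program: raw input in form.user, escaped copy in form.comment.
PROGRAM = [
    ("call", "name", "request.getParameter", "req"),
    ("new", "form", "Form@1"),
    ("store", "form", "user", "name"),
    ("call", "safe", "escape", "name"),
    ("store", "form", "comment", "safe"),
    ("assign", "alias", "form"),
    ("load", "q1", "alias", "comment"),
    ("call", "_", "Statement.executeQuery", "q1"),  # clean: sanitized field
    ("load", "q2", "alias", "user"),
    ("call", "_", "Statement.executeQuery", "q2"),  # flagged: tainted field
]
```

Running `analyze(PROGRAM)` reports only statement 10, the query built from the unsanitized `user` field read through the alias; a field-insensitive analysis would either flag both queries or, if it let the sanitized store overwrite the object's taint, miss the second.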

Updated: 2019-07-02